Data security advice for journalists from #NICAR2016

In 2013, ProPublica ran a story stating that the NSA was "winning its long-running secret war on encryption".

The story was a collaboration between ProPublica's Jeff Larson, and Nicole Perlroth and Scott Shane of The New York Times.

Three years later, Larson, ProPublica's data editor, is still working with the Snowden files and notes that surveillance is now a by-product of using the technology many of us now take for granted in our everyday lives.

Most of this data-gathering is a neutral process. Telecoms companies, for example, collect data on users for billing purposes.

Speaking at the NICAR conference in Denver, Colorado, yesterday (March 10), Larson noted that while people's records were "looked at", their data was not being "collected" for surveillance purposes – unless they happened to be speaking to known criminals.

"It gets dicey if they want to add new data, but if it's something the company already tracks they can do it."

End-to-end encryption tools

But what if you are dealing with sensitive information or a source who doesn't want to go public?

Larsen recommends Tor Messenger, a chat app which runs over Tor and "gives you as true as possible an off-the-record conversation".

Quinn Norton, a journalist who says she has been hanging out with hackers for "far, far too long," advises against using Slack and Twitter direct messages for anything you wouldn't want anyone else to see.

Instead, she highlights Signal as a chat app which is easy to install with a one-click link, so good for sources who are not tech-savvy.

SMSSecure is an Android-only fork of Signal for people who have SMS but no data connections, making it a good way of communicating with people in areas such as Africa and Asia where feature phones are still popular.

Phishing and malware

Another thing for journalists to be especially aware of is malware, a program executed on your computer in some way, usually by accident, that allows someone else to spy on you or control what your computer is doing.

"Beware email attachments," said Norton. "Phishing emails are an email with an attachment that looks like one thing but is in fact malware."

Andy Boyle, a reporter turned web developer for NBC News Breaking News, also advised journalists to "never pick up a USB drive and plug it into anything".

This includes USBs distributed at events and given to you by a source.

Norton is part of a team currently developing a "USB cleaner" comprised of a Raspberry Pi with two USB slots, allowing you to copy files from a "doubtful" USB to a USB you know is safe.

Until then, if you have to use a suspicious USB, it's a good idea to have an old computer in your office that is not connected to the Wi-fi or Ethernet network, said Norton, just so you can figure out what you've got.

"Hot glue-gun the Ethernet port so nobody can get a bad idea when you're not around," she added.